Byte slice references#8
Merged
jensneuse merged 7 commits intoadd-start-end-position-to-nodesfrom Jan 17, 2019
Merged
Conversation
…ByteSliceReferences
jensneuse
added a commit
that referenced
this pull request
Mar 11, 2020
Refactoring of subscriptions
devsergiy
pushed a commit
that referenced
this pull request
Aug 22, 2023
* re-enable normalization with inline fragments * chore: temporarily comment out broken tests * fix field selection merging * fix validation tests --------- Co-authored-by: David Stutt <david@wundergraph.com>
buger
added a commit
to buger/graphql-go-tools
that referenced
this pull request
Apr 30, 2026
…DC tests
- Remove tests/resolve-engine/ FLIP fixtures (708 auto-generated JSON files
plus mcdc-SYS-REQ-001-s1.json). They are not load-bearing in this audit:
no component declares fixture-backed evidence in proof.yaml, so the
flip_fixtures_exist and fixture_staleness_clean audit checks already pass
with "no components declare fixture-backed evidence -- not applicable".
Added tests/resolve-engine/ to .gitignore so locally regenerated fixtures
do not slip back into the tree.
- Remove pkg/doc.go workaround. It existed to satisfy reqproof's hardcoded
./pkg/... test scope (BUG-008); that bug is now fixed in reqproof itself
(per-target scope from proof.yaml is honored).
- Replace stub MCDC witnesses with real exercising tests where feasible:
* SYS-REQ-001 -> annotation moved onto TestCVE_BUG004_SkipFieldDepthPanic
* SYS-REQ-002 -> annotation moved onto TestCVE_BUG005_SkipFieldEmptyTypeNamesPanic
+ new TestMCDCReal_SYSREQ002_SkipFieldOnTypeNamesTrueRow
* SYS-REQ-003 -> new TestMCDCReal_SYSREQ003_FieldInfoMergeKeepsSlicesParallel
* SYS-REQ-004 -> new TestMCDCReal_SYSREQ004_FieldCopyPreservesParentOnTypeNames
* SYS-REQ-005 -> annotation moved onto TestCVE_BUG008_NilAsyncErrorWriterPanic
* SYS-REQ-010 -> new TestMCDCReal_SYSREQ010_ResolvableResetClearsState
* SYS-REQ-011 -> new TestMCDCReal_SYSREQ011_LoaderFreeNilsReferences
- Rename mcdc_witnesses_full_test.go to mcdc_witnesses_pending_test.go and
add an honest header explaining that the remaining 173 stubs satisfy the
spec-side row-coverage tracker but not code-level execution evidence; each
pending entry calls out the test infrastructure (federation simulator,
subgraph HTTP fixtures, subscription harnesses, planner-driven walker
setup) it still needs.
Diff stats: from 958 files +55,070/-2 to 246 files +332/-31,463.
Audit shape unchanged: 1 error from intentional CVE reproducer fails
(disclosure evidence for BUG wundergraph#4/wundergraph#5/wundergraph#8) and 1 warning from suspect_clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
buger
added a commit
to buger/graphql-go-tools
that referenced
this pull request
May 3, 2026
…undergraph#8 as Z3 counterexamples Adds v2/pkg/engine/resolve/safetyprobes/safetyprobes.go with 10 free-helper lemmas modeling real production bug shapes: - 7 PROVED safety properties under explicit preconditions (skip_field_on_type_names_safe_index, parent_on_type_names_safe_index, async_error_writer_present_dispatch, error_status_classify_total, fieldinfo_merge_length_monotonic, buf_pair_length_grows_on_write, fetch_path_descend_depth_increases) - 3 CEs surfacing the documented panic-DoS triplet: - skip_field_on_type_names_unguarded_index → CE stackLen=0 (BUG wundergraph#5) - parent_on_type_names_depth_unbounded → CE stackLen=1, depth=1 (BUG wundergraph#4) - async_error_writer_unguarded_dispatch → CE present=false (BUG wundergraph#8) All 3 CEs reproduce as real runtime panics, confirmed by re-running cve_reproducers_test.go which still FAILs against the unpatched code. The lemmas live in a dedicated package to avoid SMT preamble pollution from resolveloops/'s loop-invariant universals — co-locating the unguarded-CE goals with the loop helpers caused TIMEOUT on Z3 instead of CE. Splitting cuts solver time from 30s timeout to ~5ms CE. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
buger
added a commit
to buger/graphql-go-tools
that referenced
this pull request
May 3, 2026
Probe packages safetyprobes/, operationreportprobes/, astparserprobes/
removed; surviving lemmas attached as Go-comment funclit directives on
the production methods they describe:
(*Resolvable).skipFieldOnTypeNames skip_field_on_type_names_safe_index (PROVED)
(*Resolvable).skipFieldOnParentTypeNames parent_on_type_names_safe_index (PROVED)
(*FieldInfo).Merge fieldinfo_merge_length_monotonic (PROVED)
(*BufPair).WriteErr buf_pair_length_grows_on_write (PROVED)
LocationsFromPosition locations_from_position_index_safe (PROVED)
(*Tokenizer).read tokenizer_read_index_safe (PROVED)
(*Tokenizer).peek tokenizer_peek_index_safe (PROVED)
(*Tokenizer).Peek tokenizer_peek_unbounded_skip (CE)
(*Tokenizer).TokenizeWithLimits tokenize_with_limits_rbrace_underflow (CE),
local_depth_peak_monotonic (PROVED)
Honest-pruned 10 lemmas as tautologies-in-disguise or untraced
speculative-CE counterparts:
PP-2 / PP-4 skip-unguarded variants — speculative-CE, untraced;
per-host preconditions cannot be lemma-scoped so PROVES+CE
stacks erroneously prove the CE arm. Bug shape preserved
by precondition necessity on the migrated PROVES variants.
PP-5 / PP-6 async_error_writer present/unguarded — tautology /
untraced; BUG wundergraph#8 covered by cve_reproducers_test.go.
PP-7 error_status_classify_total — translator early-return
restriction makes every restructure a tautology; needs
host body translated.
PP-10 fetch_path_descend_depth_increases — tautology
(preDepth+1 > preDepth).
RR-1 / RR-8 has_errors_iff / separator_count — tautology-in-disguise
(each branch arm folds to (constant) == (constant)).
RR-5 locations_unguarded — speculative-CE, untraced.
RR-13 / RR-15 / RR-16 lbrace_increases / depth_limit_check / fields_count
— tautologies-in-disguise.
SYS-REQ traces:
- SYS-REQ-178/179/180/181/183 verified_by_extra updated from
LEMMA:astparserprobes/ to LEMMA:astparser/ pointing at the inline
lemma. SYS-REQ-181 stays formalization_status: violated (RBRACE
underflow CE on preDepth=0 is intact).
- SYS-REQ-182/184/185 evidence updated: Z3 lemma replaced with
code-review of the production handler (formalization_strategy stays
fretish to keep system_formalization_complete check happy).
- STK-REQ-016/017/018 evidence updated to inline-lemma references
+ honest-pruning notes for the deleted-as-tautology siblings.
- File-level Verifies-tags moved from astparserprobes.go to
v2/pkg/astparser/tokenizer.go.
Validation:
- graphql-go-tools-proof corpus: 63 lemmas, 58 PROVED + 5 CE, 0 errors.
- 5 surviving CEs: rbrace_underflow (SYS-REQ-181), peek_unbounded_skip
(SYS-REQ-180), resolvable_reset_clears_walker_state (SYS-REQ-010),
fieldinfo_merge_preserves_slice_parity (SYS-REQ-003),
field_copy_preserves_parent_on_type_names (SYS-REQ-004).
- Audit: 0 errors, 0 warnings.
- Reqproof self-test: 76 PROVED + 3 CE (no regression).
- Tyk: 67 PROVED (no regression).
Companion translator change in reqproof feat/z3-roadmap branch implements
"comment-anchor mode" so funclit lemmas can attach to MCDC-instrumented
host methods whose bodies the translator cannot model.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds start and end positions to tokens. It'll enable the parser to know the exact structure of a graphql document.
On the way to the implementation the token lexer got refactored to simplify the code and have less moving parts around. The lexer does no longer emit tokens with byte slices but will just return a reference to the start and end in the input byte slice. This does not only simplify the lexer codebase but also improves performance by ~10% which isn't too bad.
For Usability reasons a ByteSlice lookup method has been added to both, the parser and lexer which lets the user easily transform a ByteSliceReference to a ByteSlice in case the latter is needed.